SE-united Bloghttps://seunited.wordpress.com
SEunited a place where Social Engineers can come together united to dive deeper into to topics ranging from: Info gathering, Open Source Intel, Se debates, Psych topics and correlation to SE, and a little info sec thrown in on the sideTue, 20 Apr 2010 00:57:54 +0000enhourly1http://wordpress.com/https://s2.wp.com/i/buttonw-com.pngSE-united Bloghttps://seunited.wordpress.com
Why Social Engineering Works (Part 1)https://seunited.wordpress.com/2010/04/19/why-social-engineering-works-part-1/
https://seunited.wordpress.com/2010/04/19/why-social-engineering-works-part-1/#commentsTue, 20 Apr 2010 00:57:54 +0000http://seunited.wordpress.com/?p=122Why Social Engineering Works

By:The_Eccentric

Most company’s don’t really take social engineering seriously. Many penetration testers and computer security experts will tell you most company’s don’t care about security until they get hacked. This is a depressing thing to see and hear for the guys you are entrusted with protecting your company but joyful news to someone who has intent on doing some social engineering attacks on your company. In this weeks post where not focusing on what is Social Engineering but the philosophical question WHY social engineering works and types of targets to exploit using social engineering.

Why perform a social engineer attack?

To test the stability of physical security controls.

To test the level of (and even improve) security conscience among staff.

To give your staff experience at identifying the tactics that social engineers may use.

To teach your staff on how to deal with social engineering situations.

To provide valuable data to support your recommendations on both security awareness training and physical security improvements.

In (part1) we will go through the reasons behind and motivation of “why” along with examples of types of targets to use social engineering exploints against.

Reasons and Motivations

*People follow gernally instructions – If you can convince someone that you are someone in a position of authority, they are more than willing to follow any instructions that you give them, sometimes even if it goes against their better judgement.

*People want to be helpful – For those of us that live in the United States, apologies to my international friends, the environment we live in is very service oriented, it values helping other people and being generous, also it is a basic human nature to want to help others.

* People are trusting by nature – It is also a basic human nature to be trusting people. This sets up prefectly for a social engineer because they are masters in lies and deception. How many times have you seen people willing say yes to most request from you, by just being polite and respectful. This tendency to trust authority persists even in adults. In fact, some people have noticed that simply by pretending that they are important they can get people to regard them as an authority. (Note: 1)

Greed

The “Passwords for candy” law of reciprocal works great here. Also the “I scratch your back you scratch mine” type of logic and “if I give you X amount of money will you give me documents or information about client Y”. People always want to know what’s in it for them, what are they going to be getting out of the deal. Unfortunately this is one of the most unethical but widely used mindsets in todays culture.

Complacency

It’s easier to give people information to get rid of them This type of exploit works good on lone wolfs or the independent worker that can’t stand to work with someone they believe to be less incompetence and or more emotional than themselves. The very thought of groups project annoy’s them. They prefer to avoid having to deal with mundane politics and gossip without logic. Their logic tells them that the quickest and easiest way for them to get you out of their face is give them what you want (intel), so often they would not have to think twice about giving you what you seek just to get rid of you.

Fear(of getting into trouble for not doing their job)

People don’t like confrontations. When your are impersonating someone important or superior the average Joe won’t normally be willing to confront you about your credentials. He or she doesn’t want to risk the embarrassment of looking stupid or fear of loosing his or her job by questioning someone who asserts to have positional authority over them. Doing things such as walking around with confidence and assertiveness, carrying a clip board, wearing the proper clothes, etc all are effective in helping to pull off this role. Just as pets can smell fear humans, people can tell if you are not confident or fearful, so you will be unsuccessful at trying to play the role of someone superior.

Type of targets where social engineer is likely to be successful

In this section, I go a little further in types of targets where social engineering is most likely to success. This is not a golden rule but some good guidelines which you can follow.(This is not intended to offend any individual or group. Please do not take this information out of context)

Elderly People

This has been going on by insurance salesmen for a very long time. Elderly people are very easy to target because they can be more sympathetic and more likely to fall for a charity scam. One that they can relate would be something associated with AARP, Red Cross, American Cancer Society, etc.. The elderly can be kind-heated and overly trusting and easy to confuse with technical talk.

Women

They have been getting exploited with superficial social norms for years ranging from make up, fashion, material possessions, jewelry, etc.. With women your more likely to get far if you attack their emotions (get in touch with your emotional side). Women are more comfortable talking about emotions than about logic. They also pay attention to detail on fashion. Wear some name brand clothing that will help you to get noticed in a positive way, or bring up a converstion on subjects dealing with fashion. One quick way to build some rapport, is to avoid sports and or technical subjects, unless you see evidence that she’s interested in these subjects (wearing a hockey jersey, carrying a laptop, has books on technical subjects, etc.) Complements go far with women. Using compliments or talking fashion normally plays of well when social engineering the lady at the front desk. Try to play off her insecurity’s as-well, Toss light compliments if you envision some steady work at the site. Tell her she looks nice with whatever shes wearing. Pay a lot of attention to detail, especially her hair. If she changes her hair style compliment her on it. Trust me women love the attention. After softening her up in this manner, then see how willingly she beomes to handing over information. I cannott stress this any more don’t OVER do it. You might come off as creepy or seen as being a sexual harasser. You need to be smooth. If you are not smooth today, shadow and learn from someone who is. Its all about progression.

Disgruntled Employees

The only thing worse then getting social engineered is getting social engineered from within your own company. There is no better person to get valuable and accurate information about a company than a person who works inside the company and hates it there. A good way to go about a company your work is to try to befriend employees who seem to be disgruntled. Try to start up conversations with them on topics about work, have an pessimistic view about it to gain rapport quickly. Agree with the negative things they say. After gaining more rapport, ask little yes or no question about their job and other specific things. Try to let them do all the talking. Your are just there to lead them into the areas where you need the information. After a while they should be have spilled all they know about what ever you wanted to know.

(part 2) coming soon….

Also if you have any questions or comments leave in the comment section at the bottom. If want some more real-time contact and want to join the community come join us on IRC. irc.freenode.net #SEunited

The Harvester

Harvester is a great open source intelligence tool (OSINT) for getting emails and user names from public sources such as Google or Linkedin.

When and how is this valuable to the Social Engineering and Intelligence world?

– When conducting passive reconnaissance about you target trying to build a valid target profile which includes a list of user names and email addresses.

– Emails and user names are similar to your real name. They can be used to identify you in the virtual world and or in your workplace. They can lead to identifying your friends, your family, and your social groups. So you can see how valuable it is to have this information in your target profile. Think of email accounts and user names as almost the equivalent to a social security number in the real world. Extremely valuable “if you know what to do with it ;)”

For mining of email accounts go for the conventional choices first:

Personal

@gmail, @hotmail, @aol, @yahoo, etc. Search the internet for common first and last names for both male and female and use variations of these (first.last, first_last, first initial+last, last+first initial)

Work

Use same name approach as above but also add common titles such as admin, abuse, administrator, etc.

User Created – These are from user-groups created expressions username@archlinuxpwns.com

Some good sites you would want user names from in order to build a profile would be:

Using some simple searches and reading I was able to determine that Ballard@bestbuy.com was Shari.Ballard@bestbuy.com who is the Executive Vice President, Retail Channel. As you can see this is a big find off of something simple and easy but yet powerful. Going from there I was able to determine the email addresses of most of the senior executives at BestBuy. I also determined that the email naming convention for bestbuy.com is firstname.lastname.

From this you can take many routes. Add these email addresses to strengthen your target profile, create a good list for spear fishing attacks going for senior executives in the company, as well as having some valuable background information to use should you every get inside the corporate building for further reconnaissance or social engineering.

Passive Reconnaissance Flowchart

Getting deeper into uses of theHarvester assume we have established a Target (Target stage) which is schools and which will be broken down further later in our during process. For the sake of relevance I’m doing three (3) schools around my home area, and to see how deep down the flow chart we can get. Information will be gathered to build a profile for these schools and we will try to transcend from passive reconnaissance to active reconnaissance.

Just like in our example with BestBuy we plug in are schools into the harvester (Tool stage) and see what results we obtain.

As shown above we ran the schools names through the harvester(Source Information stage), just using the end tag of .edu, as you can see lots of email addresses are listed. This is of course typical of the results you can expect from a target like a school. From a social engineering, security, and intelligence perspective this is a gold mine of information for you to capitalize on.

The next step is to document all three categories. A very good multitasking note taking application is Basket Note Pads

Our next step is both manual and time consuming work where we plug all these email addresses into our applications (Plug-in stage) Pipl, Facebook, Twitter, and Blippy. As you can see we have a large number of targets we can choose from but for the sake of demonstration and brevity we will just choose two of them.

From the Louisville section we will go with the one at the top of the list allan.tasman@lousville.edu. Following the flow chart where going to plug this into all four (4) of our applications and see what we get. Based on my experience I can tell you that you will want to focus on the output from pipl.com to determine where to go next.

While we did not get anything back from Twitter, Facebook, or Blippy but with Pipl and we got something to work with and even a picture.

By going to the link seen above, we can determine that he’s a part of the World Psychiatric Association (WPA) Executive Committee this is a very important piece of information.

Scrolling down further we find our guy. So not only do we get important information on him but more importantly we now have information on others in executive positions. This is valuable information for using the Social Engineering Toolkit, also a part of the BackTrack 4 distribution.

Trying one more address, gavin.arteel@lousville.edu and following our flow chart, we put this address into Pipl, and since we have a first and last name, we will try something different on this one. So we plug in his first, last name and since we also have his location we put that into the name section.

This is the way I prefer using Pipl. It acts as a hub and then by breaking it down further on this search we get a little better information and we find a Facebook profile.

By launching the link and entering Facebook, you can see his “Networks” section validates our email and the location of University of Louisville.

We see this guy has some capacity in him having a Philosophical quote in Latin and kinda humorous “Bibo ergo sum” (I drink, therefore I am)

From just an email address we have done pretty well building up a profile on someone. From here you can go further into passive reconnaissance of what friends he has to gathering additional intelligence. This enables us to gain a perspective on what kind of guy he is, what kind of lifestyle leads, or tried to portray, which would help you greatly in building up a fake profile enabling us to move to the next step of direct reconnaissance, which will be covered later.

Wrapping up you can see as I followed the passive recon flow chart how i went from just a school and email addy got tons of Intel to build up leverage and a profile to start planning an attack using theHarvester. This is not a write law way of doing it I’m just trying to simply it to where you don’t have to an Recon Ninja to do.

Tools that where used here

theHarvester

Pipl

Facebook

All where available freely by the internet another reason for loving Open Source Intelligence (OSINT)

This should show you why the information gathering phase is one of the most important parts of a penetration test. But the most over looked most times.

I look forward to further breaking down other framework tools in the near future.

<The_Eccentric> o yeah
<The_Eccentric> for got anyone still wanna know about my social-experiment
<The_Eccentric> quite simple
<The_Eccentric> one but still would like to shar
<The_Eccentric> e
<The_Eccentric> topic *apperance*
<The_Eccentric> and how it plays part of peoples preception and descions
<The_Eccentric> target: two employees @ a local computer shop
<The_Eccentric> about a two week long process
<The_Eccentric> week :1
<The_Eccentric> i was dressed in mediorce clothes (everday, stuff you would wear around the house)
<The_Eccentric> hair was lil messed up
<The_Eccentric> dingy shoes
<The_Eccentric> etc etc
<The_Eccentric> just painting a picture
<The_Eccentric> went in there looking for a tower/case for a computer i was building
<The_Eccentric> pretty small place, asked about the cases he had, small selction to had one model lol
<The_Eccentric> looks like a father son combo working there
<The_Eccentric> father is the dominent one
<The_Eccentric> does all the talking
<The_Eccentric> with out even thinking/second guessing he gave me a price
<The_Eccentric> somthing around 29.99
<The_Eccentric> somewhere around there
<The_Eccentric> ok said i was just looking around so i would come back later
<The_Eccentric> 1 week one over
<The_Eccentric> lol week 1 over*
<The_Eccentric> week 2
<The_Eccentric> i pay close attention to detail to my apperance for sake of the experiment
<The_Eccentric> fresh shower
<The_Eccentric> hair brushed and greased and all
<The_Eccentric> nice clothes you would where out somewhere, make me stand out more
<The_Eccentric> atm had an rental for other reason’s
<The_Eccentric> it was a ‘09
<The_Eccentric> but you get my drift
<The_Eccentric> pull in to the place with making sure it in front of a window, so attention would be focused on my car
<The_Eccentric> also to make a quick judgement for there part
<The_Eccentric> go in i can tell he does remeber me , b/c he speaks as if its my 1st time there
<The_Eccentric> go about the same way ask about the casees
<The_Eccentric> this time
<The_Eccentric> he waits , analyzes his descion,
<The_Eccentric> even gets an second opion with his son
* The_Eccentric is hearing this all in the backround
<The_Eccentric> he comes back out and give me the price of 69.99
<The_Eccentric> lmao
<The_Eccentric> im thinking wtf
<The_Eccentric> but still plays it cool says i will come back later to purchase
<The_Eccentric> jest of the whole experiment, the to workers tried to take advantage of me off just my apperance, b/c the preception was that i was as dave chapplle says “RIICH B***!”

I started this blog because I’ve taken a big interest in the information security section of Social engineering. This area is just a place where I like to dive a little deeper into subject’s from the Social Engineering field all the way to Psychology relating to behaviors and personality’s.

The website is in development will be coming soon, no date yet.

Come join us at the IRC channel ##SEunited at freenode.

A project in the works is the “Information Gathering Framework” will be a good break down reference for information gathering tools used in a simple but efficient methodology about your target.

Here is just a snippet of some information from it:

Types of Information Gathering

-Passive

-Semi-Passive

-Active

Passive:

– Great care is taken to ensure that the target organization does not detect the profiling. This means that no packets can ever be sent to the target.

-This type of profilling is typically time intensive

-NO TRAFFIC

Semi-Passive:

Profiling the target with methods that would apperar to the target as normal intnernet traffic and behavior

NORMAL TRAFFIC

Active:

-This type of profiling should be detected by the target organization.

Catorgries of Information Gathering

-Infrastructure

Every organization with an internet presence requires some form of infrastructure to support that presence. That information is what we want to discover.

Infrastructure profiling is far easier to do and automate than profiling people or (in?) organizations, because it requieres less manual work.

Goal : make a map of the company infrastructure without its knowledge

-People in the Organization

Since every organization needs people to support it and it’s hardware, one of the most interesting question we should ask is “Who runs the company?”. To answer this we must ask “Who runs IT?”, “Who runs finance, and who HR?”. The information we get from the answers to this question is what we seek. Profiling people or organizations is much more difficult then profiling infrastructure, because it requieres a huge amount of manual work (e.g.: “Which John Doe is the right one?”).

So, where do we get these information?

-Public data and records

The internet is also a good source of information, especially if the company has their own website.

Since registering a website reuqieres the use of real personal data, it is sometimes possible to get a lot of information on someone in the company from Whois records, DNS servers etc.

Also while having a presence on the internet, that means there is data uploaded to the page from the target, and sometimes even from the target’s users, which when gathering correctly (knowing where and what for too look is the key), can yield interesting results about the company, and help with profiling it.